It’s a good to idea to regularly look through the logs of your website. You’ll often find something interesting. In March 2013 I was looking through the web logs for my seating planner software and I noticed the number of downloads of the Windows version of my software had gone up by a factor of 5, compared to the previous month. Everything else stayed pretty much the same:
- The number of visits to the download page hardly changed.
- The number of completed Windows installs hardly changed.
- The number of downloads of my Mac installer hardly changed.
Odd. On further investigation it turned out that a number of Chinese IP addresses were downloading my Windows installer again and again. My software is not localised into Chinese and I get very few sales from China. Also there were no installs from these IP addresses (my software puts up a ‘thank you for trying’ page when it is first run). It was a substantial increase in bandwidth, but not enough to be a serious denial of service attack. Very odd.
I am on an unlimited bandwidth hosting contract so I wasn’t paying for the extra bandwidth. But I was worried that the volume of requests would slow down my web site. So I put a .htaccess file in the downloads directory to block the worst offenders.
After a few months I got the bandwidth from China down from ~30GB per day to ~100MB per day. I have been playing this game of ‘whack a mole’ every since. Currently I have some 1700 Chinese IP addresses blocked.
PerfectTablePlan for Windows downloads per month 2013/2014
As an example I recently blocked IP 211.136.10.56, which was downloading PerfectTablePlan around 20 times per day, but never visiting a page on my website.
Here are the logs from one day (via Web Log Storming), picked at random before I blocked their IP:
And here is one of those records in more detail:
Web Log Storming classifies it as a ‘spider’. whois.domaintools.com says the IP belongs to ‘China Mobile Communications Corporation’. The IP is not listed on projecthoneypot.org and I wasn’t able to find out any more from casual Googling.
To block the this IP I just added this line to my .htaccess file:
Deny from 211.136.10.56
But it is a bit of a nuisance to keep having to do this.
Other software companies are having similar issues. But I haven’t come across any compelling answers about why this is happening. Perhaps it is a way of masking some other nefarious activity? Does anyone have any idea what is going on?
Successful Software 
About 10 years or so ago we noticed that our software was being downloaded multiple times each time a customer logged into the download the software. They are on unique short lifetime URLs so they can’t be kept as a permanent URL.
Why would a customer download more than once? Investigating showed that they weren’t – the other downloads were typically from addresses in Japan.
What we think was happening is that there are trojans installed on many users machines and these watch for any user of a web browser downloading software. The trojan then sends the download URL to the control centre (which is in Japan in our case) and the Japanese server then downloads it. It’s like a giant software hoover which downloads any software it can get it’s hands on. I suspect you are on the receiving end of something like this.
We put some logic on our website to deny these software hoover downloads.
If you look at the log above it is download the same file from the same IP almost exactly once an hour. It is very regular. I don’t think your explanation accounts for that.
We had a simliar thing happen on a couple of our BoS Conference videos that ended up getting watched a couple of hundred thousand times each over the course of a week. Cost us extra hosting but it stopped suddenly too. Seems a totally pointless exercise though.
I wonder if it is a cover for something else?
It’s a Chinese attempt to damage western companies by increasing their hosting charges. That’s why they do it in short, sharp bursts so that you don’t bother to fix it.
I’ve seen this sort of behavior on and off for a couple years. Currently, like you, my problem IP is China Mobile. Like you, I block ’em.
Sometimes, in the past, I’ve seen similar behavior from all other the world, even Europe and North America, but in those cases often the traffic is in bursts, then changes IP and follows a similar pattern, leading me to believe the users at those IPs had a trojan that was doing the downloading. When the IP changes, it’s impossible to block (whack-a-mole), but the Chinese ones usually use the same IP for a while.
I’ve always puzzled what the purpose is. I’ve assumed runaway ‘bots, but your idea about masking other activity sounds plausible. Let us know if you find out more.
China Mobile Cache Servers, Mutiple normal users may downloaded this file ,then the cache system logging this action in order to save network traffic,but the problem is the frequency ,unreasonable cache setting
That sounds like the most plausible explanation so far. It also fits with “Never attribute to malice that which can be attributed to incompetence”.
Indeed, it’s probably (mis)configuration on their part. Our registrar, for example, allows a maximum of six hours for DNS TTLs.
Looks like your question is answered but if you’re really-really curious, you might want to follow up with the owner of the IP address.
I emailed abuse@chinamobile.com a few days ago. No response.
It can be a sort of Denial of Service attack, just put load on the server.